Firm unveils encrypted free email

Hush Communications today announced the debut of HushMail, a Web-based email service that uses a Java applet to encrypt and decrypt messages on senders' and recipients' computers. Users can only send encrypted messages to other HushMail accounts.

The 1,024-bit encrypted messages cannot be read by anyone else, according to the company. Users also can set up anonymous accounts.

The new product could raise the ire of law enforcement officials, who worry that email with strong cryptography--not to mention cryptography that is free and widely available--could further limit law enforcement's options in communications surveillance.

"It doesn't sound like it's illegal, but is it a law-enforcement problem? Sure it is," said FBI spokesman Frank Scafidi.

HushCom USA launched the site with the promise of providing privacy for email senders on the Web. Email encryption is currently available, most famously in the form of Network Associates' Pretty Good Privacy product. But the complication of exchanging encryption keys, the expense of encryption products, and the complication of negotiating U.S. export law for strong cryptography have kept current privacy solutions from mainstream adoption.

HushMail has automated the process, offered it for free, and found a legal way to offer strong encryption.

HushMail launches as free email providers and other Web communication tools are becoming more frequent targets of law enforcement and lawyers seeking information on behalf of their clients. HushMail does not have a plan in place were it to be served with a subpoena, according to HushCom board member and investor Jon Gilliam.

"We are providing the encryption, and anything people send is between them," said Gilliam, who is also president of Austin technical recruiting firm the Adderley Group. "We'll have to deal with that issue when we come to it. We do have logs of messages, but we are not able to read them. [A law enforcement subpoena] would be a hairy issue, and we have not considered it yet."

Is it legal?
Encryption lawyers suggest that HushMail would be on solid legal ground in the face of a subpoena.

"If they really don't have the data, they can't give up what they don't got," said Michael Froomkin, law professor at the University of Miami. "That's a pretty good defense."

HushMail has avoided a separate legal hurdle, which is that the United States prohibits the export of encryption tools as strong as what the company offers. That law does not apply to HushCom, which is based in Anguilla, British West Indies.

"Anguilla is under U.K. protection--it's autonomous and free of encryption laws," said Gilliam. "It's also a tax haven, which is nice."

The White House's crypto policy has been under fire by lawmakers and federal courts. The government regulates encryption, citing national security concerns. The Ninth Circuit Court of Appeals earlier this month ruled that the policy violates the First Amendment rights of a math professor who wanted to post crypto code on his Web sites on grounds that source code is a language that enjoys free speech protection. The Justice Department is expected to appeal that ruling.

However, the ruling does not apply to off-the-shelf products such as HushMail.

HushMail is not the only cryptography firm based in Anguilla. Strong-cryptography firm C2Net also is incorporated there. The company's international intellectual property rights are developed in the United Kingdom and held there because the chances of the law changing in Anguilla are "minimal," according to C2Net chief executive Bill Rowzee.

HushMail is not the first Web email site offering encryption. German language portal Web.de offers similar functionality at its FreeMail site.

Cryptography experts said HushMail could wind up popularizing encrypted email.

"Hopefully this means there will be more encrypted email, that I can get an encrypted email account that would work end to end," said Bruce Schneier, a cryptography consultant with Counterpane Systems. "It seems like a really good idea. One of the big problems with email security is that you have to buy something or download something."

For now HushMail is advertising-supported. But HushCom is eyeing an acquisition exit strategy even in its inaugural week.

"We're pretty sure this technology is something the very big players would like to have," said Gilliam. "We feel that it's going to be a pretty priceless company to have, and the big boys are going to want to take a look at it."

Gilliam specifically mentioned Microsoft, which acquired Hotmail; Yahoo, which acquired Rocketmail and maintains Yahoo Mail; and Network Associates.

HushMail is not yet available for the Macintosh platform.